----Votre Secrets, Monsieur?
"AS THE 20TH CENTURY DRAWS TO A CLOSE, a country's economic power has become more essential to its survival than its military prowess. This increased emphasis on market dominance means the world's intelligence services are refocusing their efforts from collecting the traditional political and military material to collecting economic, scientific, technological, and business information. One intelligence service that has become synonymous with this new effort is the French government's General Directorate of External Security (DGSE)."

"The idea of the French using their intelligence service to obtain scientific, economic, and technological information from friendly countries is not new. Returning to power in 1958, President Charles de Gaulle indicated that the Service for External Documentation and Counterespionage (SDECE), the then French intelligence agency, needed to focus on obtaining technological information about the United States and other Western countries."

WIKILEAKS: France leads Russia, China in Industrial Spying in Europe
"Back in 2001, European leaders accused the United States government of operating a vast industrial espionage network that was eavesdropping on European businesses and giving trade secrets to American companies. According to the latest WikiLeaks cable release, they should have been looking internally."

"France is the country that conducts the most industrial espionage on other European countries, even ahead of China and Russia, according to leaked U.S. diplomatic cables, reported in a translation by Agence France Presse of Norwegian daily Aftenposten's reporting."

"'French espionage is so widespread that the damages (it causes) the German economy are larger as a whole than those caused by China or Russia,' an undated note from the U.S. embassy in Berlin said."

Next Up for France: Police Keyloggers and Web Censorship
"Having just passed its super-controversial Internet "graduated response" law, you might think the French government would take at least a brief break from riling up the "internautes." Instead, the government is prepping a new crime bill that will, among other things, mandate Internet censorship at the ISP level, legalize government spyware, and create a massive meta-database of citizen information called "Pericles."

Friday, June 28, 2013

On June 18th, the Moscow trial of ChronoPay owner Paul Wroblewski revealed that the Federal Security Service of Russia (FSB Russia) hacked into Facebook servers to collect information used in Wroblewski’s trial. Wroblewski is currently on trial for conducting Distributed Denial of Service (DDoS) attacks on the servers of a rival online payment system in 2010. The backstory of the trial is rife with the usual Russian allegations of corruption and security service malfeasance. Indeed, on June 18th Wroblewski’s lawyer Pavel Zaitsev protested the inclusion of correspondence that the FSB obtained by hacking Wroblewski’s Facebook account. According to a letter presented to the court, the FSB first requested the information through official channels. When the request was denied, the FSB hacked into the Facebook account as part of “Operational Search Measures.” The court acknowledged that the FSB bypassed international conventions and treaties; the information was nevertheless allowed as evidence.

The FSB Information Security Center—also known as Military Unit (Vch) 64829—conducted the Facebook intrusion. The Information Security Center sits within the FSB Counterintelligence Directorate—the 2nd Directorate—and monitors the Russian Internet. Taia Global analysis, however, has long assessed the Information Security Center as capable of offensive operations. President Putin’s Edict No. 31 of 15 February 2013 tasked the FSB with establishing a nationwide system for protecting Russia’s critical information infrastructure. The mission included handling the exchange of information with foreign governments and authorities. Russian press speculates that the FSB Information Security Center—and other FSB components such as Scientific Research Center No. 3—will form the basis for the new structure.

Wednesday, June 26, 2013

Here's some unsolicited advice to pretty much everyone inside the Beltway. Please stop whining about China's hacking activities while rationalizing our own. No one else in the world has committed cyber espionage on the scope or scale that the NSA apparently has against so many foreign states. No one else in the world has sabotaged another nation's uranium fuel enrichment facility. PRISM (and TIA before it) violated the same rights to privacy that China and Russia have violated for their own populations, using similar technology and for the exact same reasons (to protect themselves from terrorists and threats to their respective governments).

For you to say that all of the above is OK for us to do but at least we don't steal other companies' intellectual property is utterly ridiculous and makes a distinction without a difference. While the U.S. government may not be interested in stealing a Russian company's IP, that's probably because we don't have any state-owned businesses. After all, U.S. companies certainly steal from others and have for many years. If those same CEOs ran businesses owned by the U.S. government (like EDF in France), I guarantee you that the U.S. government would be as eager to engage in "technology transfer" as China is or like the French government is, etc.

Moralist pronouncements from nation states almost always come across as hypocritical, heavy-handed, and pompous because the business of running a country and protecting its people and its assets is not a moral mission; it's a pragmatic mission. The federal government does what's necessary to keep the U.S. in a superior position in the world - as it should. Instead of whining about China's or any other nation's acts of cyber espionage, just suck it up and focus on incentivizing private companies to create an information security framework that actually works.

Tuesday, June 25, 2013

Everyone is familiar with the marketing buzzword APT (Advanced Persistent Threat), which has become synonymous with what's known as a targeted attack. What I'm writing about today is a targeted insider attack, which occurs when a person tries to become an employee of the targeted company whose data he's seeking to steal. It is what one Internet humorist (@explanoit) has beautifully dubbed "a Snow job," in honor of the now infamous Edward Snowden, who specifically targeted the NSA as an employer that he intended to steal from.

During 2011, I was asked to participate in evaluating a Fortune 50 company's security operations center (SOC) for any threats that they hadn't already prepared to defend against. This is one of the defining characteristics of superior SOC management: they know that they're missing something and regularly hire independent assessors to determine what that might be. Inferior SOC managers assume that they've got everything under control. Those are the guys who, more often than not, are having their lunch eaten by both insiders and external threat actors.

The company that hired me quietly runs its security operations from a different location than its corporate headquarters. While the location isn't generally known, it is effectively advertised in the local papers when they're hiring. The company's public employment ads contained enough detailed information about the position and the skill set they were looking for to enable a person with malicious intent to (a) discover where the SOC is and (b) tailor-make a resume to fit the hiring requirements (problem #1). Furthermore, prospective SOC employees weren't vetted for financial problems that might provide leverage for a foreign intelligence service (FIS) to recruit them. In fact, financial difficulty is the most common reason for employees to engage in corporate espionage (problem #2).

Extortion to commit theft of company secrets via threatened exposure of a personal secret (drug addiction, sexual orientation, etc.) is yet another tool used by FIS to convert employees into intelligence assets. All of these red flags may be spotted by empowering at least one HR manager to act like a one-person Red Team by evaluating all candidates who received a hire recommendation for some or all of the security risks that I mentioned above.

In the cleared world, where one would expect more attention paid to these red flags, background checks suffer from extensive fraud, according to testimony by OPM Inspector General Patrick McFarland at a Senate hearing on the problem last week. A Senator at that hearing mentioned a 2009 GAO report which said that 87% of security clearance reports were missing background information, so the problem isn't new. Ironically, these background checks are conducted by contractors.

While targeted spear phishing attacks are pervasive and serious, they pale in comparison to a targeted insider attack like Snowden's against the NSA. And frankly, if a company can up its game to defend against the insider threat through improved background investigations, post-hire monitoring for network access anomalies and other tactics, defending against a spear phishing attack is going to be child's play.
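As an added illustration of the "post-hire monitoring for network access anomalies" mentioned above, here is a minimal baseline-and-deviation check. It is example code written for this page, not code from the original post or from the SOC described in it. It learns, per user, the normal number of distinct file shares touched per day during a baseline window, then flags later days on which a user touches far more shares than usual or does most of their work outside business hours. The log format, share names, user names, business-hours window, thresholds and the sample log itself are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, date
from statistics import median

# Constructed sample log (not real data): "<ISO timestamp> <user> <action> <share>".
# Baseline week is 2013-06-03..05; the detection window starts 2013-06-10.
SAMPLE_LOG = """\
2013-06-03T09:12:00 alice read smb://fs01/eng/specs
2013-06-03T14:40:00 alice read smb://fs01/eng/builds
2013-06-04T10:05:00 alice read smb://fs01/eng/specs
2013-06-04T15:20:00 alice write smb://fs01/eng/builds
2013-06-05T09:50:00 alice read smb://fs01/eng/specs
2013-06-05T16:10:00 alice read smb://fs01/eng/builds
2013-06-03T08:30:00 bob read smb://fs01/soc/runbooks
2013-06-03T13:00:00 bob read smb://fs01/soc/tickets
2013-06-04T09:00:00 bob write smb://fs01/soc/runbooks
2013-06-04T17:30:00 bob read smb://fs01/soc/tickets
2013-06-05T09:15:00 bob read smb://fs01/soc/runbooks
2013-06-05T11:45:00 bob read smb://fs01/soc/tickets
2013-06-10T09:30:00 alice read smb://fs01/eng/specs
2013-06-10T14:00:00 alice read smb://fs01/eng/builds
2013-06-11T21:05:00 alice read smb://fs01/eng/specs
2013-06-11T21:20:00 alice read smb://fs01/legal/contracts
2013-06-11T21:35:00 alice read smb://fs01/finance/forecasts
2013-06-11T21:50:00 alice read smb://fs01/hr/salaries
2013-06-11T22:10:00 alice read smb://fs01/exec/board
2013-06-11T22:30:00 alice read smb://fs01/sales/pipeline
2013-06-11T22:55:00 alice read smb://fs01/eng/roadmap
2013-06-10T09:00:00 bob read smb://fs01/soc/runbooks
2013-06-10T16:00:00 bob read smb://fs01/soc/tickets
2013-06-11T10:00:00 bob read smb://fs01/soc/runbooks
2013-06-11T15:00:00 bob read smb://fs01/soc/tickets
2013-06-11T20:15:00 bob read smb://fs01/soc/runbooks
"""

BUSINESS_HOURS = range(8, 18)     # 08:00-17:59 counts as normal working time (assumption)
MIN_EVENTS_FOR_HOURS_CHECK = 4    # too few events in a day to judge working pattern (assumption)


def parse_log(text):
    """Yield (timestamp, user, share) from the whitespace-separated log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, _action, share = line.split()
        yield datetime.fromisoformat(ts), user, share


def per_user_days(records):
    """Group records as {user: {date: [(timestamp, share), ...]}}."""
    days = defaultdict(lambda: defaultdict(list))
    for ts, user, share in records:
        days[user][ts.date()].append((ts, share))
    return days


def flag_anomalies(log_text, baseline_end, detect_start):
    """Return {user: {date: [reasons]}} for days on/after detect_start whose
    activity departs from that user's own baseline (days on/before baseline_end).
    Users with no baseline (e.g. new hires) are skipped here and should be
    reviewed separately rather than silently compared against nothing."""
    days = per_user_days(parse_log(log_text))
    findings = defaultdict(dict)
    for user, by_date in days.items():
        base_counts = [len({s for _, s in ev}) for d, ev in by_date.items() if d <= baseline_end]
        if not base_counts:
            continue
        base_median, base_max = median(base_counts), max(base_counts)
        # Volume threshold: well above the typical day AND above the busiest baseline day.
        volume_threshold = max(3 * base_median, base_max + 2)
        for d, events in by_date.items():
            if d < detect_start:
                continue
            reasons = []
            distinct = len({s for _, s in events})
            if distinct >= volume_threshold:
                reasons.append(f"{distinct} distinct shares vs baseline median {base_median}")
            after_hours = sum(1 for ts, _ in events if ts.hour not in BUSINESS_HOURS)
            if len(events) >= MIN_EVENTS_FOR_HOURS_CHECK and after_hours / len(events) >= 0.5:
                reasons.append(f"{after_hours}/{len(events)} events outside business hours")
            if reasons:
                findings[user][d] = reasons
    return dict(findings)


def analyze_sample():
    """Run the check over the constructed log with the assumed windows."""
    return flag_anomalies(SAMPLE_LOG, date(2013, 6, 7), date(2013, 6, 10))


if __name__ == "__main__":
    for user, by_date in analyze_sample().items():
        for d, reasons in sorted(by_date.items()):
            print(user, d, "; ".join(reasons))
```

On the constructed log only alice's 2013-06-11 activity is flagged, for both reasons; bob's single evening read is below the activity floor and his share count never leaves his baseline. The per-user baseline is the point: a flat company-wide threshold would either drown the SOC in alerts from naturally busy roles or miss a quiet engineer who suddenly reads finance, HR and legal shares at 22:00.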

Saturday, June 22, 2013

Taia Global publishes a subscription-only monthly report for our customers that is normally not available to the public. In this case, however, I thought the content merited widespread release, so an edited version of our report, which identifies the name of the FSB lab that was part of a Russian industrial espionage ring operating out of a front company in Texas, can be read at SOFREP.com.

Monday, June 10, 2013

Independent hacker groups and cyber militias that conduct network attacks complicate international relations between governments. President Obama, at the conclusion of his historic talks with President Xi Jinping last Friday, acknowledged that the "theft of business, financial and military information ... are not issues that are unique to the U.S.-China relationship. Those are issues that are of international concern. Oftentimes it’s nonstate actors who are engaging in these issues as well.”

No nation state can be held responsible for all of the attacks emanating from their own IP addresses. Attribution remains a hard challenge, and the potential for serious miscalculations and misjudgments is high.

Since the landscape is foggy, the threat actors numerous and hard to identify, and the attacks proliferating on a daily basis, the focus of the next Suits and Spooks conference will be to identify non-state aggressors in cyberspace. About twenty speakers will present briefings over two days on hackers, citizen militias, and other non-state entities operating in the Middle East, China, Russia, Pakistan, India, Iran, Africa, South America, the United States (yes - we have non-gov threat actors domestically), and other parts of the world.

A partial list of our country experts includes:

Peter Mattis (Editor, Jamestown Foundation China Brief): China

Peiran Wang (Ph.D. candidate, The Center for Economic Law and Governance, Faculty of Law and Criminology, Vrije Universiteit Brussel): China

John Scott-Railton (Research Fellow at Citizen Lab, University of Toronto): Syria, Libya

The venue will be in New York City at SOHO House on October 5-6, 2013. Admission will be limited to no more than 80 people so register early. Lunch will be provided on both days. If you'd like to submit a proposal for a talk, please do so by July 15, 2013.

Companies interested in sponsorship options for this event can view our prospectus on Google Drive.

Tuesday, June 4, 2013

During the Russia-Georgia war in August 2008, Russian hackers created a forum called StopGeorgia.ru to conduct recruitment, training, and attack operations against a list of Georgian government websites. That forum, and many other malicious sites before and after it, was hosted by a U.S. company: SoftLayer Technologies. Today, IBM announced that it's buying SoftLayer for $2 billion, approximately eight times its 2010 earnings.

HostExploit.com has been publishing a list of the world's top 50 bad ISPs since 2009, and SoftLayer and The Planet, which became part of SoftLayer in 2010, have been included each year since then. In 2011, SoftLayer was rated #30 and The Planet was #14. In 2012, SoftLayer moved up to #17. The ratings are an estimate of the number of exploit servers, phishing servers, C&C servers, badware, Zeus servers and infected websites found on each company's hardware.

When President Obama issued an Executive Order slapping Syria with sanctions in 2012, SoftLayer was one of the companies that violated the sanctions through its hosting of Syrian government websites. SoftLayer and The Planet have always operated and profited in that grey area that so many U.S. ISPs enjoy; i.e., when called on the carpet for their customers' hosting and serving of malware, they claim that they aren't responsible for scanning and identifying what's on their leased servers. This is what makes U.S. IP space so popular among international cyber criminals: high uptime, competitive rates, and no one gives a shit what you do. And it's all perfectly legal, not to mention highly profitable.

Monday, June 3, 2013

I've spent the last five years working exclusively in the identification and cataloging of threat actors in cyberspace. I've participated in incident response investigations for some of the world's largest companies and have briefed both U.S. intelligence agencies and those of five foreign countries on the complexity of the cyber threat landscape as well as information warfare planning, research & development, and execution of strategy by both Russia and China. I host three highly regarded executive cyber security conferences each year, and my book Inside Cyber Warfare (in its 2nd edition) is used as a text by the U.S. Air Force Institute of Technology in its cyber warfare certification program.

While I'm enthusiastic about your upcoming meeting with President Xi on mutual cyber security concerns, I'm worried that the strong anti-China sentiment on the Hill and in print by the New York Times, Bloomberg and the Washington Post will have a polarizing effect on your talks. Much of the evidence being touted as pointing to China's acts of cyber espionage is a conflation of multi-state and non-state actors engaging with the same target companies that China is interested in. I personally know of Russian hackers who prefer to attack their targets in different countries via a compromised Chinese computer because there are so many of them and they're so easy to exploit.

While there is a propensity among government officials and infosec experts to blame China first for any attack involving U.S. intellectual property, they often do so without any hard evidence. Chinese IP addresses don't qualify as evidence any more than U.S. IP addresses do. Open source hacker tools written by Chinese developers and posted on the Web for anyone to download and use cannot be considered evidence of Chinese government involvement. And President Xi will certainly make the same point. While there's no question that the Chinese government engages in cyber espionage, it is not the only nation that does so and it is certainly not solely responsible for the estimated $300 billion in stolen U.S. IP.

Rather than accusing China of something that cannot be proved, I believe that U.S. interests can best be served by cooperating with China on the identification and prosecution of non-state actors who operate in Chinese and U.S. IP space. Media stories and self-serving infosec reports to the contrary, not all Chinese hackers work for the PLA. There are many independent hackers in China, Ukraine, Russia, Romania, Bulgaria, Pakistan, Taiwan and other countries who make money stealing IP and selling it to whomever is willing to pay. Some of these same hackers may be involved in attacking Chinese government websites, particularly those in India, Tibet, and Taiwan. While conventional wisdom groups hackers into silos (Russians rob banks; Chinese steal IP; Iranians attack power companies), that's neither a realistic nor a fact-based portrayal of the international cyber threat landscape.

There are many ways that China is benefiting from U.S. technology transfer, such as its successful campaign to provide monetary incentives for U.S. multinationals to open R&D labs in Shanghai and Beijing (which now number over 1200). These labs employ Chinese engineers who learn U.S. technological secrets and then leave to work for Chinese companies, taking that proprietary knowledge with them. Those same employees have trusted access on their respective corporate intranets. There's no reason for the Chinese government to execute sloppy hacking operations against a U.S. company when that company has offices in Beijing or Shanghai. Access to its IP is a given.

If you and President Xi could reach an agreement to cooperate on reducing the activities of independent non-state actors that have attacked both the U.S. and Chinese businesses and government organizations, it would benefit the U.S. in the following ways:

Chinese threat data is of great interest to U.S. law enforcement organizations.

A reduction of non-state actors currently cluttering up the threat landscape would make it easier to identify state-run cyber espionage operations.

The biggest threat to both Chinese and U.S. critical infrastructure is from non-state actors and, in the future, those may include terrorist groups.

Mr. President, in my opinion, attempting to shame or threaten China over its hacking activities when the available evidence is so easily dismissed makes the U.S. look weak and ineffective. Enlisting China as an ally to identify and interdict the activities of independent threat actors would result in a win for both nations.

I hope this open letter finds its way to your desk and that it helps inform your strategy.